More than 70 million sites are managed via cPanel software, according to the company.
Security researchers from Digital Defense have discovered a major security issue in cPanel, a popular software suite that facilitates the management of a web hosting server.
Attackers could exploit the flaw to bypass two-factor authentication (2FA) for cPanel accounts and manage the associated websites.
“Digital Defense, Inc., a leader in vulnerability and threat management solutions, today announced that its Vulnerability Research Team (VRT) uncovered a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform.” reads the post published by Digital Defense. “c_Panel &WHM version 11.90.0.5 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.”
The flaw could have a dramatic impact because the software suite is currently used by web hosting providers to manage more than 70 million domains across the world.
The experts discovered that the 2FA implementation of cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed attackers to guess URL parameters and bypass 2FA.
The exploitation of this bug requires that attackers have valid credentials for a targeted account.
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.” reads a security advisory released by the company. “Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”
Researchers added that attackers could bypass the 2FA in a few minutes. This issue was addressed with the release of the following builds:
Website admins urge to check if their hosting provider has updated their cPanel installation.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…
Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…
Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…
Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…
Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…
This website uses cookies.
